To set up an Android device with a managed Google account, you just need to add the account to the device. How you add your account depends on whether you're setting up a new (or factory-reset) device or an existing device.
I'm trying to make a new PhoneAccount to use my implementation of ConnectionService. In the documentation it says I need to register a new PhoneAccount with TelecomManager and then select it in my phone-app's settings.
As you can see, it creates a new ComponentName that points towards my implementation of ConnectionService, then creates a new PhoneAccountHandle where I supply the ComponentName and a unique account-name. I then supply the PhoneAccountHandle in the PhoneAccount builder, as well as label (a name?), to create a new PhoneAccount. Lastly I register the account in the telecomManager.
When building your PhoneAccount, you must add CAPABILITY_CALL_PROVIDER if you make and receive calls on your own, or CAPABILITY_CONNECTION_MANAGER if you want to make or receive calls using the built-in PhoneAccount. Without either, you won't show up in the UI.
As far as I can tell, there is no dedicated API for checking whether the user has enabled your PhoneAccount. However, you can use TelecomManager.addNewIncomingCall for this purpose. Simply provide a Bundle containing a boolean extra (named whatever you want) and set that boolean to true if you're really receiving a call or false if you just want to do a permission check (or vice-versa). Then your implementation of ConnectionService.onCreateIncomingConnection can check your extra and return Connection.createCanceledConnection if you're just doing a permission check. This does not register as a call in the call log, and the ringtone never plays. addNewIncomingCall will throw if your PhoneAccount is not enabled, and succeed if it is.
As noted in the comments above, you can prompt the user to enable your PhoneAccount using TelecomManager.ACTION_CHANGE_PHONE_ACCOUNTS. Because the user can enable or disable your PhoneAccount at any time, all operations that require an enabled PhoneAccount (like addNewIncomingCall) should be placed in a try block.
Here is a little more info that might be helpful to others. After you have configured your phone account, the user needs to enable permission for your app. Getting the user to that screen should be easier. I've only seen the TelecomManager.ACTION_CHANGE_PHONE_ACCOUNTS action, but it doesn't take you to the proper screen to enable the permission. You have to select "All calling accounts" after launching that activity.
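The registration and enabled-check described in the answers above, put together as an added Java example (not code from the original posts). The class name MyConnectionService, the extra name EXTRA_PROBE_ONLY, the account id and the label are assumptions made for illustration; the SecurityException caught here is what the TelecomManager documentation lists for an unregistered or disabled PhoneAccount.

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.telecom.*;

// Hypothetical service; it must be declared in the manifest and protected with
// android.permission.BIND_TELECOM_CONNECTION_SERVICE so only Telecom can bind to it.
public class MyConnectionService extends ConnectionService {
    static final String EXTRA_PROBE_ONLY = "com.example.PROBE_ONLY"; // arbitrary extra name
    static final String ACCOUNT_ID = "example-account";              // assumed unique id

    static PhoneAccountHandle handle(Context ctx) {
        return new PhoneAccountHandle(new ComponentName(ctx, MyConnectionService.class), ACCOUNT_ID);
    }

    // Register the account; a capability is needed for it to appear in the calling-accounts UI.
    static void register(Context ctx) {
        PhoneAccount account = PhoneAccount.builder(handle(ctx), "Example calls")
                .setCapabilities(PhoneAccount.CAPABILITY_CALL_PROVIDER)
                .build();
        ctx.getSystemService(TelecomManager.class).registerPhoneAccount(account);
    }

    // Probe with a flagged "incoming call"; returns true only if the user has enabled the account.
    static boolean ensureEnabled(Context ctx) {
        Bundle extras = new Bundle();
        extras.putBoolean(EXTRA_PROBE_ONLY, true);
        try {
            ctx.getSystemService(TelecomManager.class).addNewIncomingCall(handle(ctx), extras);
            return true;
        } catch (SecurityException e) {
            // Account is disabled (the user can toggle it at any time): open the settings screen.
            ctx.startActivity(new Intent(TelecomManager.ACTION_CHANGE_PHONE_ACCOUNTS)
                    .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
            return false;
        }
    }

    @Override
    public Connection onCreateIncomingConnection(PhoneAccountHandle account, ConnectionRequest request) {
        Bundle extras = request.getExtras();
        if (extras != null && extras.getBoolean(EXTRA_PROBE_ONLY, false)) {
            return Connection.createCanceledConnection(); // probe only: nothing rings
        }
        Connection call = new Connection() {}; // real call: a full app would subclass Connection
        call.setRinging();
        return call;
    }
}
```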
Company Portal supports devices running Android 8.0 and later, including devices secured by Samsung KNOX Standard 2.4 and later. To learn how to update your Android device, see Check & update your Android version.
Samsung Knox is a type of security that certain Samsung devices use for additional protection outside of what native Android provides. To check if you have a Samsung Knox device, go to Settings > About device. If you don't see Knox version listed there, you have a native Android device.
Open the Company Portal app and sign in with your work or school account. If prompted to, review notification permissions for Company Portal. You can adjust notification permissions anytime in the Settings app.
Company Portal needs device administrator permissions to securely manage your device. Activating the app lets your organization identify possible security issues, such as repeated failed attempts to unlock your device, and respond appropriately.
Microsoft does not control the messaging on this screen. We understand that its phrasing can seem somewhat drastic. Company Portal can't specify which restrictions and access are relevant to your organization. If you have questions about how your organization uses the app, contact your IT support person. Go to the Company Portal website to find your organization's contact information.
Before you try to install a school or work app, modify device settings to allow app installations from unknown sources. If you don't make this change on your device, app installations will be blocked. Go to Settings > Security and privacy > Install unknown apps.
I ran a device management test on Intune with limited management on a group consisting of 1 laptop device and 1 user with the following Office 365 E3 license called user A.
My device was successfully managed by Intune and noted compliance policy configurations. User A logs in to the laptop device and uses it normally.
We only have a computer device management policy that has not implemented policies related to mobile devices.
The thing to note before logging in to the managed computer on user A is to log in and use apps like Outlook and Teams normally on his phone. However, after Mr. A is a member of a group managed by MDM, he cannot log in to the apps on his phone as before but requires him to register the device with the organization to be able to use those apps on the phone. That error code is 530003.
This ruined our plan when we originally intended to only manage devices that were company computers and users were added to a group managed by MDM to perform auto enrollment.
I checked the conditional access configurations only for devices that require MFA and also don't require approved client app or app protection policy.
So why does user A in a group managed by MDM have to register mobile devices?
Only user in the group managed by MDM or another user not in the group managed by MDM but logged into the laptop that is enrolled, the same thing happens to him on his personal mobile device.
Currently on Intune we also do not block Android or iOS devices.
I can show you my access policies if you need to.
There are two ways to configure Android: by using a Managed Google Play account (preferred) or using a managed Google domain (recommended by Google for G Suite customers). A Managed Google Play account is used when your business does not use G Suite and allows for multiple configurations of Android within your organization using a personal Google account. Workspace ONE UEM manages this account and requires no Active Directory sync or Google verification.
Setting up Android using managed Google domain (G Suite) requires your enterprise to set up a Google domain and must follow a verification process to prove that you own the domain. This domain can only be linked to one verified EMM account. The setup includes creating a Google Service Account and configuring Workspace ONE UEM as your EMM provider. Consider creating a Google account specifically for Android for your organization to use so as not to conflict with any existing Google accounts.
Important: When you create a Google account for the managed Google domain it is considered the administrator account for your domain. Consider adding additional users (Google accounts) to help you manage tasks in managed Google Play. Adding more Google accounts is useful in the event the primary Google account becomes inactive. If this happens, you can still access the managed Google domain and avoid unwanted behaviors. Furthermore, do not delete the Google Admin Account or EnterpriseID associated to your Android EMM Registration. Deleting may result in Android EMM Registration errors or failure.
The Google Service Account is a special Google account that is used by applications to access Google APIs and is required when setting up Android using the managed Google domain method for your business. The Google Service Account credentials are automatically populated when configuring Android Accounts when registering using managed Google play account. If you encounter an error while setting Android Accounts, clear your settings in the Workspace ONE UEM console and try again or create the account manually. For Google Accounts, consider creating your Google Service Account before either setup method.
Important: The setup of Android includes the integration of third-party tools that are not managed by VMware. The information in this guide for the Google Admin Console and Google Developer Console has been documented with the available version as of January 2018. Integration with a third-party product is not guaranteed and is dependent upon the proper functioning of the third-party solutions.
If your settings in the UEM console have been cleared, when you navigate to register with Google, you will see a message that prompts you to complete setup. You are redirected back to the Workspace ONE UEM console to finish setup.
Setting up your account with managed Google domain requires the organization to set up a Google domain if they do not already use one. You will also complete several manual tasks, such as verifying domain ownership with Google, obtaining an EMM token, and creating an enterprise service account to use this type of setup.
The Google Service Account is a special Google account that is used by applications to access Google APIs. You should create this account after you generate your EMM token so you can upload all information at one time.
The Google Admin credentials do not have to be associated with your business domain. Consider creating a Google account specifically for Android for your organization to use so as not to conflict with any existing Google accounts.
Define the Service Account name for your service account. Consider following the Android naming convention and be sure to note the name you choose as you will need it in further steps. Service Account ID is automatically generated. Click Create and Continue.
The identity certificate gets automatically created and downloaded to your local drive. Be sure to save your identity certificate and password for when you upload the certificate into the Workspace ONE UEM console.
Select Manage service accounts from the Service Account page. Under Advanced Settings, there is a link to Learn More About Domain Wide Delegation. Follow the steps there to turn on domain-wide delegation.